Wednesday, September 28, 2016

Pale Moon Version 26.5.0 Released with Security Updates

Pale Moon has been updated to Version 26.5.0. The update includes two Defense-in-Depth (DiD) fixes. A "Defense-in-Depth" fix is one that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes and exposes the problem.

Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.

Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD

Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD

Fixed several memory safety issues and crashes.

Fixes/Changes:

Implemented a breaking CSP (content security policy) spec change: when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0, which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2, where this is allowed.
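To make the CSP 1.0 versus CSP 2 difference concrete, here is an added example (not Pale Moon's code) that models host-source matching for a policy delivered on an http page; the sample policy and URLs are constructed, and keyword sources, nonces, hashes and paths are left out of the model.

```javascript
// Simplified CSP host-source matcher (added example, not browser code).
// Models only scheme, host (with *.wildcard) and port of a host-source.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does `resource` match the single host-source `src` of a policy delivered
// on `page`? `level` is 1 (CSP 1.0 rules) or 2 (CSP 2 scheme matching).
function matchesHostSource(src, page, resource, level) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;                       // not a host-source we model
  const [, scheme, host, port] = m;
  const r = new URL(resource);
  const p = new URL(page);
  if (scheme) {
    if (`${scheme.toLowerCase()}:` !== r.protocol) return false;
  } else if (r.protocol !== p.protocol) {
    // Scheme-less source: CSP 1.0 requires the page's own scheme; CSP 2 also
    // accepts https for a page loaded over http (the 26.5.0 change).
    const upgrade = level >= 2 && p.protocol === 'http:' && r.protocol === 'https:';
    if (!upgrade) return false;
  }
  const h = host.toLowerCase();
  if (h === '*') { /* any host */ }
  else if (h.startsWith('*.')) { if (!r.hostname.endsWith(h.slice(1))) return false; }
  else if (h !== r.hostname) return false;
  const rPort = r.port || DEFAULT_PORT[r.protocol] || '';
  if (port === '*') return true;
  if (port) return port === rPort;
  return rPort === (DEFAULT_PORT[r.protocol] || ''); // no port given: default port only
}

// Is loading `resource` allowed by `directive` (e.g. 'script-src') of `policy`?
function cspAllows(policy, directive, page, resource, level) {
  const dir = policy.split(';').map(s => s.trim()).find(s => s.startsWith(directive + ' '));
  if (!dir) return true;                      // directive absent from this policy
  const sources = dir.slice(directive.length).trim().split(/\s+/);
  return sources.some(src => matchesHostSource(src, page, resource, level));
}

// Constructed sample: an http page whose policy lists hosts without a scheme.
const PAGE = 'http://shop.example/';
const POLICY = "default-src 'none'; script-src cdn.example.net *.static.example; img-src http://img.example.net";
const SCRIPT = 'https://cdn.example.net/app.js';
console.log('CSP 1.0 allows https script:', cspAllows(POLICY, 'script-src', PAGE, SCRIPT, 1)); // false
console.log('CSP 2   allows https script:', cspAllows(POLICY, 'script-src', PAGE, SCRIPT, 2)); // true
```

An explicit scheme in the source (as in the img-src above) is still honoured under both levels, so authors who want to keep CSP 1.0 behaviour can write `http://host` instead of `host`.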

Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).

Improved the performance of canvas poisoning by explicitly parallelizing it.